[OpenID] Password age and password reset

Santosh Rajan santrajan at gmail.com
Wed May 13 16:55:06 UTC 2009


Unlike the one-to-one scenario between the RP and user, we are scaling here.
We might have "frivolous" RPs requesting password change at the drop of a
hat. I think we must give a chance for the OP to look at the merit of the
case before asking the user to change the password. This must be through a
separate channel, not OpenID. Also, once the RP decides that the user has to
change the password, the RP should inform the user and OP immediately and not
wait for him to log in again via OpenID.


Breno de Medeiros wrote:
> 
> On Wed, May 13, 2009 at 9:18 AM, Santosh Rajan <santrajan at gmail.com>
> wrote:
>>
>> I think this subject is beyond the scope of OpenID. "Malicious activity"
>> can
>> be anything. The RP has to handle this separately.
> 
> True, but this proposal is to address the case when the RP normal
> response would be to ask the user to change the password.
> 
>> 1) Inform the user via email or when he logs in again or any appropriate
>> measure. Shut the account whatever.
> 
> In the scenario I described, the RP is already doing this messaging.
> It is just not as effective because the RP cannot forward the user to
> the password change flow.
> 
>> 2) OP's must have a separate channel where the RP's can report this.
> 
> And you claim that this cannot be standardized. Why?
> 
>> 3) And depending on what the "malicious activity" is, the RP may even
>> have
>> to report to concerned govt authorities depending on the law.
> 
> Yes.
> 
>> This has to be handled as an entirely different matter beyond the scope
>> of
>> OpenID.
> 
> Why?
> 
>>
>>
>> Breno de Medeiros wrote:
>>>
>>> Argh, I meant RP detects malicious activity on the user's account at
>>> the RP. There is no additional exchange of data between RP and OP in
>>> this scenario.
>>>
>>>
>>>>
>>>> 1. RP detects malicious activity on the user's account at the OP.
>>>>
>>>>
>>>> --
>>>> --Breno
>>>>
>>>> +1 (650) 214-1007 desk
>>>> +1 (408) 212-0135 (Grand Central)
>>>> MTV-41-3 : 383-A
>>>> PST (GMT-8) / PDT(GMT-7)
>>>>
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>
>>
> 
> 


-----

Santosh Rajan
http://santrajan.blogspot.com
-- 
View this message in context: http://www.nabble.com/Password-age-and-password-reset-tp23507470p23525842.html
Sent from the OpenID - General mailing list archive at Nabble.com.
